Cyber Posture

CVE-2026-39842

Critical · Public PoC · RCE

Published: 15 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (fixed in 1.22.0)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.3rd percentile)
Risk Priority: 20 (weights: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39842 is a critical-severity Code Injection (CWE-94) vulnerability in OpenRemote (vendor openremote, product openremote), an open-source IoT platform. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The gap between the low EPSS score and the 9.9 CVSS score is worth reading carefully: the attacker needs an authenticated account holding the write:rules role, but from that account exploitation is a single ruleset submission and yields code execution as root on the server.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege). Both act on who may author rulesets, which is the lever that matters while the script engine itself runs unsandboxed.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190), Exploitation for Privilege Escalation (T1068) and Command and Scripting Interpreter: JavaScript (T1059.007). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Prevents expression injection by never evaluating user-supplied JavaScript in an unrestricted Nashorn ScriptEngine. Configure the engine with a ClassFilter that denies Java class access (or disable Java access entirely) rather than relying on validating or sanitizing script text, which cannot make an arbitrary program safe to eval.

prevent (AC-3 Access Enforcement): Enforces authorized access so that JavaScript ruleset creation and execution is restricted to superusers, the same gate already applied to Groovy rules, blocking exploitation by users who hold only the write:rules role.

prevent (AC-6 Least Privilege): Applies the least privilege principle so that the write:rules role does not carry unrestricted JVM code execution, mitigating the escalation from a tenant-scoped rules author to root on the server.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The rules API is reachable through the public-facing application (T1190); the unsandboxed JavaScript eval in the rules engine (T1059.007) gives a low-privileged write:rules user arbitrary code execution as root, which is a privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0.

Deeper analysis

CVE-2026-39842 affects OpenRemote, an open-source IoT platform, specifically versions 1.21.0 and below. The vulnerability consists of two interrelated expression injection flaws in the rules engine that enable arbitrary code execution on the server. The JavaScript rules engine invokes user-supplied scripts through Nashorn's ScriptEngine.eval() without any sandboxing, class filtering, or access restrictions. Meanwhile, the authorization logic in RulesResourceImpl limits Groovy rules to superusers but leaves JavaScript rules accessible to any user with the write:rules role. Additionally, the Groovy rules engine defines a GroovyDenyAllFilter security measure, but its registration code is commented out, making the SandboxTransformer ineffective for superuser-created Groovy rules.

A non-superuser attacker with the write:rules role can exploit this by creating malicious JavaScript rulesets. These rulesets execute with unrestricted JVM access, allowing remote code execution as root, arbitrary file reads, theft of environment variables including database credentials, and a complete bypass of multi-tenant isolation to read data across all realms. The CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects that a low-privileged network attacker needs no user interaction and obtains a full compromise whose scope extends beyond the realm the account was granted. The weaknesses are CWE-94 (Improper Control of Generation of Code, 'Code Injection') and CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement, 'Expression Language Injection').

The OpenRemote security advisory (GHSA-7mqr-33rv-p3mp) and release notes for version 1.22.0 confirm the issue has been addressed in that update, recommending immediate upgrades for affected deployments.
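The two halves of the flaw described above (an unfiltered Nashorn eval, and an authorization gate that checks superuser only for Groovy) and the AC-3/AC-6 controls recommended earlier, shown side by side as an added example. This is illustrative code written for this page, not OpenRemote's RulesResourceImpl or its fix in 1.22.0; the User record, the Lang enum, the payload string and the class name are constructed for the demo. It assumes the standalone Nashorn artifact (org.openjdk.nashorn:nashorn-core) on Java 17; on JDK 8 to 14 the package prefix is jdk.nashorn instead.

```java
// Added example, not OpenRemote's code: the unsandboxed Nashorn eval pattern the
// advisory describes beside a hardened engine built with a deny-all ClassFilter,
// plus the authorization gate from the AC-3 control (superuser required for any
// scripted ruleset, not only Groovy). Assumes org.openjdk.nashorn:nashorn-core on
// Java 17; on JDK 8-14 the package prefix is jdk.nashorn. User, Lang and PAYLOAD
// are constructed for the demo.
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import org.openjdk.nashorn.api.scripting.ClassFilter;
import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class RulesetSandboxDemo {

    // Hypothetical ruleset languages, mirroring the two the advisory names.
    enum Lang { JAVASCRIPT, GROOVY }

    // Hypothetical user model carrying only what the check needs.
    record User(String name, boolean superuser, Set<String> roles) {}

    // Constructed payload: the same shape as a ruleset that reads the server
    // environment (System.getenv), but fetching a harmless property so the demo
    // is safe to run anywhere.
    static final String PAYLOAD =
            "Java.type('java.lang.System').getProperty('java.version')";

    // Vulnerable pattern: default engine, every JVM class reachable from script.
    static Object evalUnrestricted(String script) throws ScriptException {
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine();
        return engine.eval(script);
    }

    // Hardened pattern: a ClassFilter that exposes no Java class at all. Java.type()
    // and package navigation then fail instead of handing the script a class.
    static Object evalSandboxed(String script) throws ScriptException {
        ClassFilter denyAll = className -> false;
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine(denyAll);
        return engine.eval(script);
    }

    // Gate as the advisory describes the vulnerable one: only Groovy needs superuser.
    static boolean mayCreateRulesetVulnerable(User u, Lang lang) {
        if (!u.roles().contains("write:rules")) return false;
        return lang != Lang.GROOVY || u.superuser();
    }

    // Gate per the AC-3/AC-6 recommendation: scripted rulesets of either language
    // run as server code, so both require superuser on top of write:rules.
    static boolean mayCreateRulesetHardened(User u, Lang lang) {
        return u.roles().contains("write:rules") && u.superuser();
    }

    public static void main(String[] args) throws ScriptException {
        User tenantUser = new User("tenant-rules-author", false, Set.of("write:rules"));

        System.out.println("vulnerable gate admits tenant JS ruleset: "
                + mayCreateRulesetVulnerable(tenantUser, Lang.JAVASCRIPT));
        System.out.println("hardened gate admits tenant JS ruleset:   "
                + mayCreateRulesetHardened(tenantUser, Lang.JAVASCRIPT));

        // Unrestricted engine: the script reaches java.lang.System and returns.
        System.out.println("unrestricted eval returned: " + evalUnrestricted(PAYLOAD));

        // Filtered engine: the denied class lookup surfaces as an exception. The
        // exact exception type varies across Nashorn versions, so catch broadly.
        try {
            Object result = evalSandboxed(PAYLOAD);
            System.out.println("sandboxed eval unexpectedly returned: " + result);
        } catch (Exception e) {
            System.out.println("sandboxed eval blocked: " + e.getClass().getName());
        }
    }
}
```

Run with nashorn-core and its asm dependencies on the classpath. The vulnerable gate returns true for the tenant user submitting JavaScript while the hardened gate returns false, and the unrestricted engine returns the property value where the filtered engine throws. Note that a ClassFilter closes the Java.type and package routes only; if the host exposes its own Java objects into the script bindings, those objects and whatever they reach remain callable, so a real deployment still wants the superuser gate in front of the engine rather than relying on the filter alone.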

Details

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Affected Products

openremote / openremote
≤ 1.21.0 (fixed in 1.22.0)

CVEs Like This One

CVE-2026-40882 (same product: OpenRemote)
CVE-2026-27495 (shared CWE-94)
CVE-2026-27574 (shared CWE-94)
CVE-2025-41243 (shared CWE-917, CWE-94)
CVE-2026-24781 (shared CWE-94)
CVE-2026-23830 (shared CWE-94)
CVE-2026-32573 (shared CWE-94)
CVE-2026-25887 (shared CWE-94)
CVE-2026-31857 (shared CWE-94)
CVE-2026-3132 (shared CWE-94)

References

GHSA-7mqr-33rv-p3mp (OpenRemote security advisory)
OpenRemote 1.22.0 release notes